Moritz Muehlenhoff pushed to branch master at Debian Security Tracker / security-tracker


Commits:
e8ebb8cf by Moritz Mühlenhoff at 2021-08-11T11:19:04+02:00
new redmine, node-tar, edk2 issues

- - - - -


1 changed file:

- data/CVE/list


Changes:

=====================================
data/CVE/list
=====================================
@@ -67,7 +67,7 @@ CVE-2021-38514 (Certain NETGEAR devices are affected by 
authentication bypass. T
 CVE-2021-38513 (Certain NETGEAR devices are affected by authentication bypass. 
This af ...)
        NOT-FOR-US: Netgear
 CVE-2021-38512 (An issue was discovered in the actix-http crate before 
3.0.0-beta.9 fo ...)
-       TODO: check
+       NOT-FOR-US: Rust crate actix-http
 CVE-2021-38510
        RESERVED
 CVE-2021-38509
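Review bot: the NOT-FOR-US on CVE-2021-38512 should be confirmed against the archive before it stands, because the affected range in the description ("before 3.0.0-beta.9") covers every released actix-http version, so any packaged rust-actix-http source would fall inside it; if the package tracker turns one up, this line needs the `- rust-actix-http <unfixed>` form used for redmine and node-tar elsewhere in this commit rather than NOT-FOR-US.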
@@ -321,9 +321,9 @@ CVE-2021-38386 (In Contiki 3.0, a buffer overflow in the 
Telnet service allows r
 CVE-2021-38385
        RESERVED
 CVE-2021-38384 (Serverless Offline 8.0.0 returns a 403 HTTP status code for a 
route th ...)
-       TODO: check
+       NOT-FOR-US: Serverless Offline
 CVE-2021-38383 (OwnTone (aka owntone-server) through 28.1 has a use-after-free 
in net_ ...)
-       TODO: check
+       NOT-FOR-US: OwnTone
 CVE-2021-38382 (Live555 through 1.08 does not handle Matroska and Ogg files 
properly.  ...)
        - liblivemedia <removed>
        NOTE: 
http://lists.live555.com/pipermail/live-devel/2021-August/021959.html
@@ -3086,7 +3086,8 @@ CVE-2021-37158
 CVE-2021-37157
        RESERVED
 CVE-2021-37156 (Redmine 4.2.0 and 4.2.1 allow existing user sessions to 
continue upon  ...)
-       TODO: check
+       - redmine <unfixed>
+       NOTE: https://www.redmine.org/projects/redmine/wiki/Security_Advisories
 CVE-2021-37155 (wolfSSL 4.6.x through 4.7.x before 4.8.0 does not produce a 
failure ou ...)
        - wolfssl <unfixed> (bug #991443)
        [bullseye] - wolfssl <no-dsa> (Minor issue)
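Review bot: the redmine entry records <unfixed> with no per-suite status even though the description scopes the issue to 4.2.0 and 4.2.1, so whichever versions buster and bullseye ship need an explicit line (the wolfssl entry directly below shows the `[bullseye] - wolfssl <no-dsa> (Minor issue)` form, and `<not-affected>` is the right marker if the shipped version predates 4.2.0); the NOTE also points at the Security_Advisories index rather than the specific advisory or upstream fix, and no bug is recorded in the `(bug #NNNNNN)` form wolfssl uses. Suggest adding the suite lines once the shipped versions are checked and supplementing the wiki link with the fix reference.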
@@ -11029,9 +11030,9 @@ CVE-2021-33705
 CVE-2021-33704
        RESERVED
 CVE-2021-33703 (Under certain conditions, NetWeaver Enterprise Portal, 
versions - 7.30 ...)
-       TODO: check
+       NOT-FOR-US: NetWeaver
 CVE-2021-33702 (Under certain conditions, NetWeaver Enterprise Portal, 
versions - 7.10 ...)
-       TODO: check
+       NOT-FOR-US: NetWeaver
 CVE-2021-33701
        RESERVED
 CVE-2021-33700
@@ -13105,9 +13106,13 @@ CVE-2021-32806 (Products.isurlinportal is a 
replacement for isURLInPortal method
 CVE-2021-32805
        RESERVED
 CVE-2021-32804 (The npm package "tar" (aka node-tar) before versions 6.1.1, 
5.0.6, 4.4 ...)
-       TODO: check
+       - node-tar <unfixed>
+       NOTE: 
https://github.com/npm/node-tar/security/advisories/GHSA-3jfq-g458-7qm9
+       NOTE: 
https://github.com/npm/node-tar/commit/1f036ca23f64a547bdd6c79c1a44bc62e8115da4
 CVE-2021-32803 (The npm package "tar" (aka node-tar) before versions 6.1.2, 
5.0.7, 4.4 ...)
-       TODO: check
+       - node-tar <unfixed>
+       NOTE: 
https://github.com/npm/node-tar/security/advisories/GHSA-r628-mhmh-qjhw
+       NOTE: 
https://github.com/npm/node-tar/commit/9dbdeb6df8e9dbd96fa9e84341b9d74734be6c20
 CVE-2021-32802
        RESERVED
 CVE-2021-32801
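Review bot: both node-tar entries are marked <unfixed> without a Debian bug number or per-suite status, although the linked advisories and fix commits already give everything needed to settle that; suggest recording a bug in the `(bug #NNNNNN)` form used by the wolfssl entry and adding `[bullseye]`/`[buster]` lines once the shipped node-tar version is compared with the fixed versions in the descriptions (6.1.1 and 5.0.6 for CVE-2021-32804, 6.1.2 and 5.0.7 for CVE-2021-32803), since a version below all of those is affected by both CVEs and the two should carry matching suite annotations.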
@@ -13204,7 +13209,7 @@ CVE-2021-32770 (Gatsby is a framework for building 
websites. The gatsby-source-w
 CVE-2021-32769 (Micronaut is a JVM-based, full stack Java framework designed 
for build ...)
        NOT-FOR-US: Micronaut
 CVE-2021-32768 (TYPO3 is an open source PHP based web content management 
system releas ...)
-       TODO: check
+       NOT-FOR-US: Typo 3
 CVE-2021-32767 (TYPO3 is an open source PHP based web content management 
system. In ve ...)
        NOT-FOR-US: Typo 3
 CVE-2021-32766
@@ -24678,7 +24683,8 @@ CVE-2021-3437
 CVE-2021-3436
        RESERVED
 CVE-2021-28216 (BootPerformanceTable pointer is read from an NVRAM variable in 
PEI. Re ...)
-       TODO: check
+       - edk2 <unfixed>
+       NOTE: https://bugzilla.tianocore.org/show_bug.cgi?id=2957
 CVE-2021-28215
        RESERVED
 CVE-2021-28214
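Review bot: the edk2 entry links only the TianoCore bugzilla and carries no Debian bug number or suite annotations, while <unfixed> asserts that the packaged edk2 is affected; suggest adding the upstream fix commit as a second NOTE (the node-tar entries in this same commit pair advisory and commit that way, which makes the fixed version checkable), recording a bug in the `(bug #NNNNNN)` form, and stating the buster/bullseye status once the shipped edk2 is checked against the fix.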
@@ -28567,7 +28573,7 @@ CVE-2021-26608
 CVE-2021-26607
        RESERVED
 CVE-2021-26606 (A vulnerability in PKI Security Solution of Dream Security 
could allow ...)
-       TODO: check
+       NOT-FOR-US: Dream Security
 CVE-2021-26605 (An improper input validation vulnerability in the service of 
ezPDFRead ...)
        NOT-FOR-US: ezPDFReader
 CVE-2021-26604
@@ -30271,7 +30277,7 @@ CVE-2021-25956
 CVE-2021-25955
        RESERVED
 CVE-2021-25954 (In &#8220;Dolibarr&#8221; application, 2.8.1 to 13.0.4 
don&#8217;t res ...)
-       TODO: check
+       - dolibarr <removed>
 CVE-2021-25953 (Prototype pollution vulnerability in 'putil-merge' 
versions1.0.0 throu ...)
        NOT-FOR-US: Node putil-merge
 CVE-2021-25952 (Prototype pollution vulnerability in 
&#8216;just-safe-set&#8217; versi ...)



View it on GitLab: 
https://salsa.debian.org/security-tracker-team/security-tracker/-/commit/e8ebb8cfec9c803f356bb34fc487913e546633f8

-- 
You're receiving this email because of your account on salsa.debian.org.


_______________________________________________
debian-security-tracker-commits mailing list
[email protected]
https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/debian-security-tracker-commits
